Presentation is loading. Please wait.

Presentation is loading. Please wait.

Embry-Riddle Aeronautical University Prescott, Arizona

Published byRussell Williamson Modified over 9 years ago

Similar presentations

Presentation on theme: "Embry-Riddle Aeronautical University Prescott, Arizona"— Presentation transcript:

1 Embry-Riddle Aeronautical University Prescott, Arizona
Explaining the Buffer Overflow Problem: Instructional Design and Evaluation in Information Security Education Embry-Riddle Aeronautical University Prescott, Arizona

2 Grant Overview (**Author)
NSF Federal Cyber Service “Scholarships for Service” Institutional Capacity-building Award No College of Engineering ** Dr. Susan L. Gerhart Dr. Matthew S. Jaffe Dr. Paul Hriljac Science, Technology, Globalization Program Dr. Richard Bloom Consultants ** Dr. Jan G. Hogle (Ed. Tech.) ** Jedidiah Crandall (Student) Science, Technology, and Glob

3 Grant Overview Goals interactive modules for undergraduate curricula
The Buffer Overflow problem Cryptography Interdependent Security Dimensions Personnel Screening Increased Student Interest in Security, possible degree program Dissemination to other universities

4 Buffer Overflow Module: The Problem
Buffer Overflow: When data is written outside the bounds of its allocated memory Vulnerabilities: Attacker can “hijack” program execution overwrite security-sensitive data in memory cause a program crash leading to Denial-of-Service or a core dump of security-sensitive data

5 Buffer Overflow Module: Motivation
Pervasive and costly “public enemy #1” >½ CERT alerts Improve software engineering practice Hook for introducing security in several courses Good application for interactive educational technology

6 Buffer Overflow Module: Approach
Demo: Simulated abstract machine (Java Applets) Instructional Methodology: Audiences: Programmer, Tester, Journalist, IT Manager Goals/objectives: What to learn, how to measure learning Evaluation: Interviews, questionnaires, quizzes, …

7 Buffer Overflow Module: Interactive Educational Package
Stand-alone Authorware + Website Explanations of Attacks and Defenses Demo Applets and Instructor Guide Links, Code Red case study Quiz and Scavenger Hunt Courses: Programming, languages, operating systems, software engineering, security Requires: 30 min. to demo + prerequisite introduction + depth (depends on course) Results: Rapid learning, high impact presentation, learner engagement, retention

8 Demo http://nsfsecurity.pr.erau.edu/bom
Stacks How a typical C compiler uses run-time stacks Spock How security-sensitive data can be overwritten Smasher How program execution can be diverted away from the normal program execution path StackGuard How one particular defense against stack smashing works

9 Evaluation Needs Analysis Matrix Formative Evaluation
Pre-quiz: memory, C, SE practice Post (interview, questionnaire): New? Understandable? Useful? Suggestions: color change, spock? Website traffic high 33,000 page views since Aug. 2002 Average 25 visitors/day, 4 pages/visitor >50% international

10 Lessons Learned Carefully defining audience paid off
“Interactivation” is hard! Professors aren’t comfortable, students are natural Must abstract from processes, like B.O. Quizzes, scavenger hunts easy and fun What’s learning? What’s gratuitous Hard to obtain feedback – forms hated

Download ppt "Embry-Riddle Aeronautical University Prescott, Arizona"

Similar presentations

Collaborative Research: Developing Course Modules to Teach Service-Oriented Programming through Exemplification and Visualization Xumin Liu, Rajendra K.

Collaborative Research: Developing Course Modules to Teach Service-Oriented Programming through Exemplification and Visualization Xumin Liu, Rajendra K.
Vulnerabilities in Embedded Harvard Architecture Processors Presented By: Michael J. Hohnka Cyber Vulnerabilities Lead Cyber Innovation Division Communications,

Vulnerabilities in Embedded Harvard Architecture Processors Presented By: Michael J. Hohnka Cyber Vulnerabilities Lead Cyber Innovation Division Communications,
Computer Security: Principles and Practice EECS710: Information Security Professor Hossein Saiedian Fall 2014 Chapter 10: Buffer Overflow.

Computer Security: Principles and Practice EECS710: Information Security Professor Hossein Saiedian Fall 2014 Chapter 10: Buffer Overflow.
Buffer Overflow Intro. ©2002, Jedidiah R. Crandall, Susan L. Gerhart, Jan G. Hogle. Preventing Buffer Overflows (for C programmers)

Buffer Overflow Intro. ©2002, Jedidiah R. Crandall, Susan L. Gerhart, Jan G. Hogle. Preventing Buffer Overflows (for C programmers)
Buffer Overflow Causes. ©2002, Jedidiah R. Crandall, Susan L. Gerhart, Jan G. Hogle. Buffer Overflow Causes Author: Jedidiah.

Buffer Overflow Causes. ©2002, Jedidiah R. Crandall, Susan L. Gerhart, Jan G. Hogle. Buffer Overflow Causes Author: Jedidiah.
Lecture 0 CSIS10A Overview. Welcome to CSIS10A (5 mins) – Typical format for class meetings New material first (monitors off, notebooks out) Practice.

Lecture 0 CSIS10A Overview. Welcome to CSIS10A (5 mins) – Typical format for class meetings New material first (monitors off, notebooks out) Practice.
K. Salah1 Buffer Overflow The crown jewel of attacks.

K. Salah1 Buffer Overflow The crown jewel of attacks.
Breno de MedeirosFlorida State University Fall 2005 Buffer overflow and stack smashing attacks Principles of application software security.

Breno de MedeirosFlorida State University Fall 2005 Buffer overflow and stack smashing attacks Principles of application software security.
Computer Science and Computer Engineering. parts of the computer.

Computer Science and Computer Engineering. parts of the computer.
Stack-Based Buffer Overflows Attacker – Can take over a system remotely across a network. local malicious users – To elevate their privileges and gain.

Stack-Based Buffer Overflows Attacker – Can take over a system remotely across a network. local malicious users – To elevate their privileges and gain.
WBL on Learning Indonesian Title: ‘Rumahku’ (My home)

WBL on Learning Indonesian Title: ‘Rumahku’ (My home)
Stack buffer overflow http://en.wikipedia.org/wiki/Stack_buffer_overflow.

Stack buffer overflow
CSC 171 – FALL 2004 COMPUTER PROGRAMMING LECTURE 0 ADMINISTRATION.

CSC 171 – FALL 2004 COMPUTER PROGRAMMING LECTURE 0 ADMINISTRATION.
Software Engineering Lifecycle. ©2002. Jan G. Hogle, Susan L. Gerhart. Software Engineering Lifecycle Authors: Jan G. Hogle,

Software Engineering Lifecycle. ©2002. Jan G. Hogle, Susan L. Gerhart. Software Engineering Lifecycle Authors: Jan G. Hogle,
Copyright Arshi Khan1 System Programming Instructor Arshi Khan.

Copyright Arshi Khan1 System Programming Instructor Arshi Khan.
CS 1 with Robots CS1301 – Where it Fits Institute for Personal Robots in Education (IPRE)‏

CS 1 with Robots CS1301 – Where it Fits Institute for Personal Robots in Education (IPRE)‏
C Programmer Quiz. ©2002, Jedidiah R. Crandall, Susan L. Gerhart, Jan G. Hogle. Quiz: For C Programmers Author: Jedidiah.

C Programmer Quiz. ©2002, Jedidiah R. Crandall, Susan L. Gerhart, Jan G. Hogle. Quiz: For C Programmers Author: Jedidiah.
Texas Tech University NSF-SFS Workshop on Educational Initiatives in Cybersecurity for Critical Infrastructure Course Flow Diagrams May 2-3, 2013 Support.

Texas Tech University NSF-SFS Workshop on Educational Initiatives in Cybersecurity for Critical Infrastructure Course Flow Diagrams May 2-3, 2013 Support.
EECS 354 Network Security Introduction. Why Learn To Hack Understanding how to break into computer systems allows you to better defend them Learn how.

EECS 354 Network Security Introduction. Why Learn To Hack Understanding how to break into computer systems allows you to better defend them Learn how.
Buffer Overflow Defenses. ©2002, Jedidiah R. Crandall, Susan L. Gerhart, Jan G. Hogle. Buffer Overflow Defenses Author:

Buffer Overflow Defenses. ©2002, Jedidiah R. Crandall, Susan L. Gerhart, Jan G. Hogle. Buffer Overflow Defenses Author:

Similar presentations

Ads by Google